Social Engineering Blogs

An Aggregator for Blogs About Social Engineering and Related Fields

Security Awareness Content: Challenges of Using Punishment

Punishment is evident in all aspects of our life to everything from getting drivers to stop speeding, to getting the dog to not bark at the mailman. Because of this, it is no wonder that several go to punishment when wanting to change user behavior. While punishment is a very powerful tool- that can produce almost immediate change in behavior- it is very hard to control and very hard to maintain. For these reasons, I rarely recommend using punishment when creating and effective security awareness architecture.

sexWhat is the most effective punishment?

Want to know how to reduce user behavior with almost 100% effectiveness? Deprive users of food, water, and/or sex. Go forth and develop content.

No? I didn’t think so. When making security awareness content, we as info sec professionals are not able to use the most effective punishers and therefore have to evaluate our user base to figure out what is the next best thing. This punishment has to be easy to implement and applicable across your entire user base. Furthermore it has to be easy to maintain. Lets say you have an issue with users not properly disposing of PII so you decide to implement a termination policy for all instances of improperly handled or disposed of PII. While very effective (because it gets at the users ability to purchase food and water) it is not easy to maintain. You will either end up with a lot less employees REAL quick or you turn into the boy that cried wolf. Lets say that instead of termination, you force the employee to click through a 10-slide power point outlining what PII is and how to properly dispose of it. That won’t work either for the opposite reason- even though it’s easy to maintain, it’s effectiveness, as a punisher will wear off drastically. Think of this similarly to getting desensitized to a pop-up notification. It is for this reason choosing a contingency is often one of the hardest parts of using punishment in a content plan.

Indirectly punishing behaviors

Imagine that your organization has a major problem with users loosing mobile devices, laptops, and tablets. A loss is reported at least once every two weeks and each lost device exposes your organization to a data breech of some highly sensitive information (e.g., customer credit card information). In an effort to reduce this behavior, and keep your organization out of the news, you inflict a $100 penalty for loss of a phone, $300 for tablets, and $500 for a laptop. You see an immediate drop in device loss but after a few months some other patterns start to emerge. First, calls to report anything to the security team significantly reduce. This includes reports about phishing attacks and suspicious computer behavior. Second, when a device is lost, users are taking an average of 2 weeks to inform the security team. In the past, lost devices were reported within 24 hours. Both of these present a major problem to your organization and are the unfortunate side effect of a poorly used punishment. This example demonstrates how even though a punishment is inflicted upon a specific behavior it does not guarantee that the effect will be isolated. The plan was to reduce loss of devices, but users were also being deterred from reporting the loss as well as calling the security team at all.

While major, these two topics are just a few in a long list of reasons why using punishment to change user behavior is difficult to do. To be effective, a large amount of control is needed otherwise you can create more problems than you started with.

Expressed Sadness

On March 21st 2013 a horrific and tragic event took place in Brunswick, Georgia.

A 13-month old baby boy was shot in the face in a robbery attempt at nine in the morning.  An even more astounding fact in the case is that the assailants were two young kids, the oldest originally thought to be around 15 -years old.

The link below is to a short video before the suspects were caught and show West and her husband’s very raw, genuine emotions.

The video above is of the suspects in court.  The oldest suspect in the case is 17 years old and his cohort only 15.  Neither suspect entered a plea.

Sherry West, baby Antonio’s mom said, “I just hope, you know, that the shooter dies. I mean, I had to watch my baby die and I want him to die. A life for a life.”

Immediately after the shooting, detectives searched West’s home for a gun and conducted gun residue tests on both her and the baby’s father, West said, adding that the tests were negative and the search did not turn up a gun.

Update: Facial Expressions Before, During, After War

My Modern Met.com  has reported on a project titled We Are the Not Dead by photographer Lalage Snow.

Similar to images in photographer Claire Felicie’s series of soldiers before, during and after their time oversees, Snow, who is currently based in Kabul, Afghanistan, embarked on this 8-month-long project featuring portraits of British soldiers before, during, and after their deployment in Afghanistan.

In a past blog, Face Changes, we reported on Felicie’s original project, which tried to visually answer the question,  Does tragedy truly show up in our eyes and brow ?

Like Felicie’s photos, Snow has the before, during and after shots in juxtaposition (i.e. panel style) so that the viewer can see the physical changes soldiers go through when exposed to war.  Not posted in this article are the quotes from each soldier that accompany Snow’s photos, which gives the viewer an added depth and insight into the photograph and the life of  a soldier.

The following picture is of Private Chris MacGregor age 24.

Courtesy Lalage Snow

The next Picture is of Private Ben Frater age 21.

Courtesy of Lalage Snow

What Do You See in these photos ?